Date: October 24th 2022

Revision Date Changes
1.3 October 24th 2022 Update the fixed release info
1.2 October 7th 2022 Update the mitigation configuration
1.1 September 29th 2022 Update the fixed release info and required configuration
1.0 September 27th 2022 Initial release

 

This security advisory addresses four CVEs:

  • CVE-2021-27853
    • CVSSv3.1 Base Score: 4.7( CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N )
    • CWE: CWE-290 Authentication Bypass by Spoofing
    • Tracking Bug: BUG615000
  • CVE-2021-27854
    • CVSSv3.1 Base Score: 4.7( CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N )
    • CWE: CWE-290 Authentication Bypass by Spoofing
    • Tracking Bug: BUG682330
  • CVE-2021-27861
    • CVSSv3.1 Base Score: 4.7( CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N )
    • CWE: CWE-290 Authentication Bypass by Spoofing
    • Tracking Bug: BUG615000
  • CVE-2021-27862
    • CVSSv3.1 Base Score: 4.7( CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N )
    • CWE: CWE-290 Authentication Bypass by Spoofing
    • Tracking Bug: BUG682330

 

Description

This advisory documents the impact of 4 publicly disclosed vulnerabilities within Ethernet encapsulation protocols on Arista products. These issues affect multiple networking vendors and the coordination of this disclosure has been handled by IEEE. Affected Arista products include EOS systems and Wi-Fi Access Points. The affected software releases are listed below.

The issues involve how L2 network security controls can be bypassed using VLAN 0 stacking (hereby referred to as the “VLAN 0 header stack variant”) or 802.3 LLC headers with invalid length (hereby referred to as the “LLC Header Invalid Length Variant”). An attacker can send crafted packets through vulnerable devices to cause Denial-of-Service (DoS) or to perform a Man-in-the-Middle (MitM) attack against L2 reachable hosts in the network.

These issues are tracked via the following four CVEs:

  • CVE-2021-27853: Layer 2 network filtering capabilities such as IPv6 RA guard or ARP inspection can be bypassed using combinations of VLAN 0 headers and LLC/SNAP headers.
  • CVE-2021-27854: Layer 2 network filtering capabilities such as IPv6 RA guard can be bypassed using combinations of VLAN 0 headers, LLC/SNAP headers in Ethernet to Wifi frame translation and the reverse Wifi to Ethernet.
  • CVE-2021-27861: Layer 2 network filtering capabilities such as IPv6 RA guard can be bypassed using LLC/SNAP headers with invalid length (and optionally VLAN0 headers).
  • CVE-2021-27862: Layer 2 network filtering capabilities such as IPv6 RA guard can be bypassed using LLC/SNAP headers with invalid length and Ethernet to Wifi frame conversion (and optionally VLAN0 headers).

As of the time of this publication, Arista is not aware of any malicious uses of this issue in customer networks.

Vulnerability Assessment

Affected Software

CVE-2021-27853 and CVE-2021-27861
  • EOS Versions
    • 4.28.2F and older releases in the 4.28.x train
    • 4.27.6M and older releases in the 4.27.x train
    • 4.26.7M and older releases in the 4.26.x train
    • 4.25.9M and older releases in the 4.25.x train
    • 4.24.10M and older releases in the 4.24.x train
    • 4.23.12M and older releases in the 4.23.x train
    • 4.22.12M and older releases in the 4.22.x train
    •  
  • Wi-Fi Access Points
    • 12.0.1-48 and older releases for the 12.0 train
    • 11.0.1-49 and older releases for the 11.0 train
    • 10.0.1-31 and older release for the 10.0 train
CVE-2021-27854 and CVE-2021-27862
  • Wi-Fi Access Points
    • 12.0.1-48 and older releases for the 12.0 train
    • 11.0.1-49 and older releases for the 11.0 train
    • 10.0.1-31 and older release for the 10.0 train

NOTE: Both a vulnerable network device and a vulnerable host networking stack must be present for the issues to be exploitable. Thus, in addition to network devices, it is strongly recommended to evaluate the exposure of the IP stack of connected hosts for a complete assessment of these vulnerabilities.

Affected Platforms

CVE-2021-27853 and CVE-2021-27861

Platforms impacted by VLAN 0 header stack variant

  • ALL Arista EOS Based products
    • 7010 and 7010X series
    • 7020R series
    • 7050X/X2/X3/X4 series
    • 7060X/X2/X4 series
    • 7150 series
    • 7160 series
    • 7170 series
    • 710P series
    • 720XP series
    • 722XPM series
    • 750X series
    • 7250X series
    • 7260X/X3 series
    • 7280E/R/R2 series
    • 7280R3 series
    • 7300X/X3 series
    • 7320X series
    • 7358X4 series
    • 7368X4 series
    • 7388X5 series
    • 7500E/R/R2 series
    • 7500R3 series
    • 7800R3 series
    •  
  • Wi-Fi Access Points
    • 11ac wave-2 Access Point series (C100, C110, W118, C120, C130, O105 and their variants)
    • 11ax (Wi-Fi6) Access Point series (C200, C230, O235, C250, C260, C360 and their variants)

Platforms impacted by LLC Header Invalid Length Variant

  • Arista EOS Based products
    • 7010 and 7010X series
    • 7050X/X2/X3/X4 series
    • 7060X/X2/X4 series
    • 7150 series
    • 7160 series
    • 7170 series
    • 710P series
    • 720XP series
    • 722XPM series
    • 750X series
    • 7250X series
    • 7260X/X3 series
    • 7280R3 series
    • 7300X/X3 series
    • 7320X series
    • 7358X4 series
    • 7368X4 series
    • 7388X5 series
    • 7500R3 series
    • 7800R3 series
    •  
  • Wi-Fi Access Points
    • 11ac wave-2 Access Point series (C100, C110, W118, C120, C130, O105 and their variants)
    • 11ax (Wi-Fi6) Access Point series (C200, C230, O235, C250, C260, C360 and their variants)
CVE-2021-27854 and CVE-2021-27862
  • Wi-Fi Access Points
    • 11ac Wave-2 Access Point series (C100, C110, W118, C120, C130, O105 and their variants)
    • 11ax (Wi-Fi 6) Access Point series (C200, C230, O235, C250, C260, C360 and their variants)

The following product versions and platforms are not affected by any of the listed CVEs

  • ClouldEOS and vEOS Router
  • CloudVision Wi-Fi, virtual appliance or physical appliance
  • CloudVision Wi-Fi cloud service delivery
  • CloudVision Portal, virtual appliance or physical appliance
  • CloudVision as-a-Service
  • Arista 7130 Systems running MOS
  • Arista Converged Cloud Fabric (CCF) and DANZ Monitoring Fabric (DMF) (Formerly Big Switch Nodes for BCF and BMF)
  • Awake Security Platform
  • NG Firewall and Micro Edge

The following products are not affected by LLC Variant of CVE-2021-27853 and CVE-2021-27861 but are still affected by the VLAN 0 Header Stack Variant

  • 7020R Series
  • 7280E/R/R2 series
  • 7500E/R/R2 series

Required Configuration for Exploitation

CVE-2021-27853 and CVE-2021-27861

EOS Configuration

Any of the following L3 aware L2 security filtering features is in use:
ACLs configured on Ethernet ports, Port-Channels or VLANs

ip access-group <aclName> in
ipv6 access-group <aclName> in
 

IP Locking feature family

(config-if-EtX)# address locking ipv4
(config-if-EtX)# address locking ipv6
(config-if-EtX)# address locking ipv4 ipv6
 
in conjunction with 
(config-address-locking)# dhcp server ipv4 <A.B.C.D>
(config-address-locking)# local-interface <interface>
and/or
(config-address-locking)# locked-address [ipv4|ipv6] enforcement disabled
 

ARP Inspection

ip arp inspection
 

Interface Traffic Policies

(config-if-EtX/Y)#traffic-policy input <traffic-policy-name>
 

Segment Security Policies

(config)#router segment-security
(config-router-seg-sec)#no shutdown
 
Wi-Fi Access Point Configuration

SSID Firewall rules matching L3 and L4 headers

 
CVE-2021-27854 and CVE-2021-27862
Wi-Fi Access Point Configuration

SSID Firewall rules matching L3 and L4 headers

Indicators of Compromise

There are no visible indicators of compromise.

Mitigation

EOS Based Products

The mitigations below are supported on all the EOS platforms (except the 7170 series) in the affected releases.

To mitigate the VLAN 0 header stack variant vulnerability, the following MAC ACL can be configured.

mac access-list Vlan0HeaderVariant
   deny any any 0x8100
   deny any any 0x88a8
   permit any any

Whenever the switch is unable to resolve the final protocol ethertype of an Ethernet frame with a VLAN tag sequence, the final ethertype is determined to be one of the known VLAN tag ethertypes (Tag Protocol ID or TPID) 0x8100 or 0x88a8. The ‘Vlan0HeaderVariant’ ACL causes such frames to be discarded.

To mitigate the LLC header invalid length variant vulnerability, the following MAC ACL such as the sample below can be configured

mac access-list allowSpecificEtypes
   permit any any ip
   permit any any ipv6
   permit any any arp
   deny any any
 

The ‘allowSpecificEtypes’ ACL provides protection against both variants by ensuring that a switch is allowed to forward a packet only if it is successfully able to identify a higher layer protocol in use in the packet header behind a sequence of VLAN tags. This ACL functions as a permit list to allow known good ethertypes through and drops everything else. This means that all higher layer protocol ethertypes being used in a network have to be identified and included in the permit list to ensure connectivity for those protocols.

Note: The TPID ethertype values 0x8100 and 0x88a8 must not be included in the permit list. The switch will only identify the ethertype of a frame as one of these values only if it encounters a VLAN tag sequence that is long enough that it is unable to parse and derive a final ethertype. 

Once a suitable ACL is constructed, it must be applied on all L2 switch ports connected to uncontrolled hosts.

(config)#interface etX/Y
(config-if-EtX/Y)#mac access-group <mitigationAclName> in

Wi-Fi Access Point

There are no known mitigations for Wi-Fi access points.

Resolution

The recommended resolution is to upgrade to a remediated software version at your earliest convenience. Arista recommends customers move to the latest version of each software release that contains all the fixes listed below.

EOS Releases that resolve the CVEs

CVE-2021-27853 and CVE-2021-27861
  • 4.28.3M and later releases in the 4.28.x train
  • 4.27.7M and later releases in the 4.27.x train
  • 4.26.8M and later releases in the 4.26.x train
  • 4.25.10M and later releases in the 4.25.x train
  • 4.24.11M and later releases in the 4.24.x train
  • 4.23.13M and later releases in the 4.23.x train
  • 4.22.13M and later releases in the 4.22.x train

Post Upgrade Steps

The following global commands MUST be enabled to resolve the vulnerabilities.

To fix the VLAN 0 header stack variant vulnerability

switchport vlan tag validation

To fix the LLC header variant vulnerability

switchport ethernet llc validation

Only platforms which are affected by a variant will be able to run the corresponding configuration command to resolve the issue. Cross reference your platform with the affected variant (Affected Platforms section above) to determine the configuration command(s) which should be set. A configuration command which does not apply to the platform will be unavailable on that platform.

Wi-Fi Access Point Software Releases that resolve the CVEs

CVE-2021-27853, CVE-2021-27854, CVE-2021-27861 and CVE-2021-27862
  • 12.0.1-48.20 and later releases for the 12.0.1 train
  • 11.0.1-49.16 and later releases for the 11.0.1 train

Note: all releases in the 10.0 train are affected by the CVEs. Please upgrade to the fixed release versions in 11.0.1 or 12.0.1 train as soon as possible. If you require further assistance, please contact the Arista Networks Technical Assistance Center (TAC) with methods listed below.

Post Upgrade Steps

There are no post upgrade steps required for Wi-Fi.

Hotfix

There is no hotfix available for any of the affected platforms.

References

For More Information

If you require further assistance, or if you have any further questions regarding this security notice, please contact the Arista Networks Technical Assistance Center (TAC) by one of the following methods:

Open a Service Request

By email: This email address is being protected from spambots. You need JavaScript enabled to view it.
By telephone: 408-547-5502 ; 866-476-0000
Contact information needed to open a new service request may be found at: https://www.arista.com/en/support/customer-support